Bug 1242467 (abrt-hook-ccpp_SELinux)
| Summary: | SELinux is preventing abrt-hook-ccpp from using the 'sigchld' accesses on a process. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Christopher Meng <i> | ||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 23 | CC: | adam, debugger94, decathorpe, dominick.grift, dwalsh, fraph24, jankowalski25, jfrieben, jones.peter.busi, juliux.pigface, lvrabec, mgrepl, mikhail.v.gavrilov, nicolas.mailhot, plautrba, sanjay.ankur, weaine | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | abrt_hash:e6d10fcd6f18e995dfe405a4aefb445f20ab0971bcc32b9d72dad9e065f8049f | ||||||
| Fixed In Version: | selinux-policy-3.13.1-150.fc23 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2015-10-13 00:05:08 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle. Changing version to '23'. (As we did not run this process for some time, it could affect also pre-Fedora 23 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23 This bug is present in F22 too and often prevents abrt from generating backtrace information. Created attachment 1070005 [details]
selinux-policy messages
Got it in FC22. I was using wifi. I got the message when the wifi dropped out and I reselected. No login is required for this wifi.
My selinux versions are:
libselinux-python3-2.3-10.fc22.x86_64
selinux-policy-3.13.1-128.12.fc22.noarch
libselinux-2.3-10.fc22.i686
rpm-plugin-selinux-4.12.0.1-12.fc22.x86_64
libselinux-utils-2.3-10.fc22.x86_64
selinux-policy-targeted-3.13.1-128.12.fc22.noarch
libselinux-2.3-10.fc22.x86_64
libselinux-python-2.3-10.fc22.x86_64
.
*** Bug 1243743 has been marked as a duplicate of this bug. *** *** Bug 1259986 has been marked as a duplicate of this bug. *** *** Bug 1260011 has been marked as a duplicate of this bug. *** Description of problem: (gdm crash if boot in enforcing mode) Version-Release number of selected component: selinux-policy-3.13.1-148.fc24.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.3.0-0.rc2.git0.1.fc24.x86_64 type: libreport Description of problem: I encountered this issue after a of crash of spice-vdagentd. There are various report which sound similar, so please forgive me if this is a duplicate. Version-Release number of selected component: selinux-policy-3.13.1-147.fc23.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.2.1-300.fc23.i686 type: libreport *** Bug 1268639 has been marked as a duplicate of this bug. *** selinux-policy-3.13.1-150.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-f4305656a5 selinux-policy-3.13.1-150.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update selinux-policy' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-f4305656a5 selinux-policy-3.13.1-150.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: SELinux is preventing abrt-hook-ccpp from using the 'sigchld' accesses on a process. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that abrt-hook-ccpp should be allowed sigchld access on processes labeled kernel_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep abrt-hook-ccpp /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:system_r:kernel_t:s0 Target Objects Unknown [ process ] Source abrt-hook-ccpp Source Path abrt-hook-ccpp Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-135.fc23.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.2.0-0.rc1.git3.1.fc23.x86_64 #1 SMP Fri Jul 10 19:49:28 UTC 2015 x86_64 x86_64 Alert Count 1 First Seen 2015-07-13 19:49:23 CST Last Seen 2015-07-13 19:49:23 CST Local ID 5e09d0ea-2472-46b4-b45a-919a4ca9d265 Raw Audit Messages type=AVC msg=audit(1436788163.776:575): avc: denied { sigchld } for pid=2561 comm="abrt-hook-ccpp" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=0 Hash: abrt-hook-ccpp,xdm_t,kernel_t,process,sigchld Version-Release number of selected component: selinux-policy-3.13.1-135.fc23.noarch Additional info: reporter: libreport-2.6.1 hashmarkername: setroubleshoot kernel: 4.2.0-0.rc1.git3.1.fc23.x86_64 type: libreport